EN ES PT

Phishing Analysis

Detailed analysis of captured phishing page

Back to Stats

Captura Visual

Screenshot of roblox.com.py

Información de Detección

https://roblox.com.py/games/115790827621758/Game-Loader?privateServerLinkCode=92373029262230035677041060792855
Detected Brand
Roblox
Country
International
Confidence
100%
HTTP Status
200
Report ID
036e5ccc-ceb…
Analyzed
2026-01-27 23:53

Hashes de Contenido (Similitud HTML)

Used to detect similar phishing pages based on HTML content

Algorithm Hash Value
CONTENT TLSH
T19E13DA72A120283761AFA3D5F515B70691D3E70ECB839BE2A2F463760AD9C31FD1341A
CONTENT ssdeep
768:eHXB1ly+QtF8uB1bykQPKrvrvEZ3RkWPvBRG8AEF9NpBxJ8m8:eHXB1lybtF5B13jMpRXZ9NTxJ8m8

Hashes Visuales (Similitud de Captura)

Used to detect visually similar phishing pages based on screenshots

Algorithm Hash Value
VISUAL pHash
b03057cece2c7569
VISUAL aHash
c7c7c3c7fffffffe
VISUAL dHash
ae1e9e1e221a31c4
VISUAL wHash
42c7c3c7ffff0000
VISUAL colorHash
07007000080
VISUAL cropResistant
ae1e9e1e221a31c4,171f1b1b17065555

Análisis de Código

Risk Score 100/100
Threat Level ALTO
⚠️ Phishing Confirmed
🎣 Credential Harvester 🎣 OTP Stealer 🎣 Card Stealer 🎣 Banking 🎣 Personal Info

🔬 Threat Analysis Report

• Amenaza: Suplantación de juego de Roblox y kit de phishing para robo de credenciales
• Objetivo: Usuarios de Roblox
• Método: Presenta una página falsa de juegos de Roblox con potencial robo de credenciales mediante formularios falsos.
• Exfil: Probablemente intenta robar las credenciales del usuario o la información relacionada con el juego.
• Indicadores: Dominio no oficial (roblox.com.py), potencial de formularios falsos e imitación del sitio web de Roblox.
• Riesgo: ALTO - Riesgo de robo de credenciales y posible compromiso de cuentas de Roblox.

🔐 Credential Harvesting Forms

🔒 Obfuscation Detected

  • atob
  • eval
  • fromCharCode
  • unescape
  • hex_escape
  • unicode_escape
  • base64_strings

🎯 Kit Endpoints

  • /catalog
  • /login?returnUrl=5405063603844235
  • https://roblox.com.py/info/blog?locale=en_us
  • https://roblox.com.py/catalog?CatalogContext=1&Keyword=

📡 API Calls Detected

  • GET
  • https://en.help.roblox.com/hc/articles/7997207259156
  • get
  • POST
  • https://ro.blox.com/Ebh5?pid=experiencestart_mobileweb&is_retargeting=false&af_dp=
  • https://apis.

📤 Form Action Targets

  • /search

📊 Desglose de Puntuación de Riesgo

Total Risk Score
100/100

Contributing Factors

Active Phishing Kit
Detected Credential Harvester, OTP Stealer, Card Stealer, and Personal Info harvesting kits with real-time form interception capabilities.
Domain Impersonation
Domain 'roblox.com.py' mimics the official Roblox domain ('roblox.com') using a typosquatting technique with a country-code top-level domain (ccTLD).
Obfuscation Techniques
258 obfuscation techniques detected in JavaScript files, indicating deliberate evasion of static analysis and manual inspection.
Malicious JavaScript Files
Large JavaScript files (3.4 MB total) with no legitimate purpose, likely containing malicious payloads for credential and data harvesting.

🔬 Análisis Integral de Amenazas

Tipo de Amenaza
Banking Credential Harvester
Objetivo
Roblox users (International)
Método de Ataque
Brand impersonation + credential harvesting forms + obfuscated JavaScript
Canal de Exfiltración
HTTP POST to backend
Evaluación de Riesgo
CRITICAL - Automated credential harvesting with HTTP POST to backend

⚠️ Indicators of Compromise

  • Kit types: Credential Harvester, OTP Stealer, Card Stealer, Banking, Personal Info
  • 258 obfuscation techniques

🏢 Análisis de Suplantación de Marca

Impersonated Brand
Roblox
Official Website
https://www.roblox.com
Fake Service
Fake Roblox game loader with private server access

⚔️ Metodología de Ataque

Primary Method: Credential Harvesting

The phishing kit is designed to capture Roblox account credentials by presenting a fake login form. The form likely intercepts user inputs in real-time and transmits them to a remote server controlled by the attacker.

Secondary Method: Personal Information Theft

In addition to credentials, the kit includes modules for harvesting personal information such as email addresses, phone numbers, and payment details, which can be used for further exploitation or sold on underground markets.

🌐 Indicadores de Compromiso de Infraestructura

Domain Information

Domain
roblox.com.py
Registered
Unknown
Registrar
None
Status
Age unknown

🦠 Malicious Files

Main File
File Size

Large JavaScript file containing obfuscated code for credential harvesting and personal information theft.

📊 Diagrama de Flujo de Ataque

┌──────────────────────────────────────────────────────────┐
│ 1. VICTIM RECEIVES PHISHING LURE                          │
│    - Email/SMS with fake Roblox offer or alert            │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. VICTIM CLICKS MALICIOUS LINK                           │
│    - Redirects to fake Roblox login page                 │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL HARVESTING                                  │
│    - Victim enters username/password in fake form         │
│    - Form captures input                                  │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA EXFILTRATION                                      │
│    - Credentials sent via HTTP POST to attacker server    │
└──────────────────────────────────────────────────────────┘

🔬 JavaScript Deep Analysis

Operator Language
English (1%)
Total Code Size
3,4 MB

🔗 API Endpoints Detected

Other
108

🔐 Obfuscation Detected

  • : None
  • : None
  • : Light
  • : Heavy
  • : None
  • : None
  • : Light
  • : None
  • : None
  • : Light
  • : Light
  • : Light
  • : None
  • : Light
  • : None
  • : Heavy
  • : None
  • : Heavy
  • : Heavy
  • : Light

🤖 AI-Extracted Threat Intelligence

📊 Attack Flow

┌──────────────────────────────────────────────────────────┐
│ 1. VICTIM RECEIVES PHISHING LURE                          │
│    - Email/SMS with fake Roblox offer or alert            │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. VICTIM CLICKS MALICIOUS LINK                           │
│    - Redirects to fake Roblox login page                 │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL HARVESTING                                  │
│    - Victim enters username/password in fake form         │
│    - Form captures input                                  │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA EXFILTRATION                                      │
│    - Credentials sent via HTTP POST to attacker server    │
└──────────────────────────────────────────────────────────┘

🎯 Malicious Files Identified

Similar Websites

Pages with identical visual appearance (based on perceptual hash)

Screenshot
Roblox
https://roblox.com.ly/games/71062734985098/Untitled-Game?pri...
Mar 24, 2026

Scan History for roblox.com.py

Found 10 other scans for this domain

😰
"Nunca pensé que me pasaría a mí"
Esto dicen las 2.3 millones de víctimas cada año. No esperes a ser una estadística.